“Think Bad. Do Good” Podcast Episode 3: Best Practices in Threat-Informed Defense

AttackIQ’s Ben Opel and Jonathan Reiber discuss threat-informed defense lessons-learned from their time serving in the U.S. Department of Defense in the U.S. Marine Corps and the Office of the U.S. Secretary of Defense.

In this podcast, listeners will learn how to implement a threat-informed defense strategy in the public and private sectors, and will leave better equipped to effect positive change in their organization. Why is this important? Today the cybersecurity community is evolving from a fortress mentality of “network defense” to a “threat-informed defense” approach. Over the last decade, the U.S. military has been at the forefront of this transition, first in the intelligence-operations bond that developed between analysts and warfighters during the conflicts in Afghanistan and Iraq and against al-Qaeda, and then in cybersecurity at U.S. Cyber Command.

What does this mean in practice? Traditionally in cybersecurity, “blue” team defenders focused their strategies on meeting baseline cybersecurity best practices: correcting misconfigurations, administering patches, and deploying commercial products. Red teams were smaller, and testing occurred periodically and not at the scale required to validate the blue team’s defense effectiveness. If blue teams fail to orient towards the most important threats, resources are often wasted; absent effective testing, security controls likely fail.

Now the strategy is changing. Three lessons emerge from the evolution of threat-informed defense in the U.S. military. It is important to (1) understand the adversary’s approach; (2) identify valuable data and defense capabilities; and (3) build tight bonds between teams to focus on known threats and test your defenses. A leader also needs to be appointed to manage threat-informed defense across an organization, similar to the dual-hat role of the Director of the NSA and Commander, U.S. Cyber Command. Using the MITRE ATT&CK framework, security teams can adopt a threat-informed defense approach and optimize their security programs.

Ben Opel is Director for Customer Success at AttackIQ, where he also serves as a Purple Team instructor at AttackIQ Academy. A former officer in the U.S. Marine Corps, Opel led, trained, and integrated Marines in defensive cyberspace operations in support of U.S. national security objectives. His experience includes identifying and securing key network terrain in support of U.S. Special Operations Forces and assessing emerging technological risks to the U.S. Marine Corps and U.S. national security. He is a graduate of the U.S. Naval Academy.